[Firehol-support] Firehol centralised on router with Wifi AP
Kjetil Kjernsmo
kjetil at kjernsmo.net
Sun Sep 11 22:47:36 BST 2016
Hi all!
I've been using FireHOL on my router and firewall box for a while now for
my home network, and it was great finding something making it that easy to
set up. I'm still on 1.297 though, as it is a Debian Stable box.
Now to my next problem: My router has 5 ethernet interfaces, where
eth2 connects to a Wifi accesspoint, namely a Ubiquiti UniFi AP. However, I
would like to have all firewall rules on the router box, and additionally,
I'd like to divide the connecting devices into authorized and unauthorized
classes, where the authorized devices have pretty much full access to
the LAN, at eth1. Those two requirements create some problems that I
hope someone can help me resolve :-)
My initial idea was just to keep the AP open for all, and just use OpenVPN
for all devices. Enabling OpenVPN on my mobile phone required setting a
PIN though. I did that, but the rest of the family most certainly can't be
bothered. Also, my security requirements aren't high, there are no huge
business secrets here, we live rurally (I don't expect Google to drive by
any time soon :-) ) and the signal is barely detectable outside the walls.
This calls for fewer hoops. :-)
Now, I've configured the AP to have a public clear-text essid and an
encrypted private one.
Then, my next idea was to use Dnsmasq where I gave each known device an IP
based on their MAC, and the idea was that unknown devices would be
dynamically assigned outside of this range. Then, I could use those ranges
in the firewall config. Apparently, Dnsmasq doesn't work that way; it cannot
guarantee that dynamically assigned IPs are outside of the static range
for a given interface.
Now, rather than come up with more silly ideas, I suppose it is time to ask for
help... :-) Is it possible to allow both unknown and known users at the AP
without firewalling them there and at the firewall allow known users to
access the LAN? Without making the known users jump through too many
hoops?
I just had another idea that I don't know whether it can work: Could I have
the AP mark packets from the known devices and then use that mark in the
firewall? That would certainly not be the perfect solution, but possibly
good enough.
Or something else entirely?
Best,
Kjetil
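One way the two-SSID setup described above maps onto a single FireHOL 1.x box, as an added example that is not part of the original post and not FireHOL project code: it assumes the AP tags each SSID into its own 802.1Q VLAN on the eth2 link (a per-SSID VLAN setting is assumed to exist on the AP), so the router sees the private SSID on eth2.20 and the public SSID on eth2.30. The interface names eth0/eth1, the VLAN ids 20 and 30 and the 192.168.x.0/24 addresses are made up for the example; the LAN stays on eth1 as in the post.

```firehol
version 5

# Assumed layout (example values, not from the post):
#   eth0      WAN
#   eth1      wired LAN, trusted
#   eth2.20   VLAN 20 on eth2: encrypted private SSID (the AP tags it)
#   eth2.30   VLAN 30 on eth2: open public SSID (the AP tags it)
#
# The VLAN sub-interfaces come from /etc/network/interfaces on Debian
# (needs the 'vlan' package), e.g. for the private SSID:
#   auto eth2.20
#   iface eth2.20 inet static
#       address 192.168.20.1
#       netmask 255.255.255.0
#       vlan-raw-device eth2

wan_if="eth0"
lan_if="eth1"
priv_if="eth2.20"
pub_if="eth2.30"

# Wired LAN: fully trusted
interface "${lan_if}" lan
    policy accept

# Private SSID: the WPA key is the authorization, so treat it like the LAN.
# No 'src' restriction here so that DHCP requests from 0.0.0.0 still arrive.
interface "${priv_if}" wifipriv
    policy reject
    server "dhcp dns ssh" accept
    client all accept

# Public SSID: clients may only talk to the router for DHCP and DNS
interface "${pub_if}" wifipub
    policy reject
    server "dhcp dns" accept

# WAN: nothing inbound, router may go out
interface "${wan_if}" wan src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong
    client all accept

# Private SSID <-> LAN: both sides may open connections to the other
router priv2lan inface "${priv_if}" outface "${lan_if}"
    route all accept

# LAN and private SSID reach the Internet through NAT
router trusted2wan inface "${lan_if} ${priv_if}" outface "${wan_if}"
    masquerade
    route all accept

# Public SSID reaches only the Internet; there is deliberately no router
# between it and eth1 or eth2.20, so FireHOL's default drops that traffic
router pub2wan inface "${pub_if}" outface "${wan_if}"
    masquerade
    route all accept
```

Two caveats worth knowing before picking the other approaches from the post: a netfilter packet mark set on the AP is kernel-local metadata on the AP and never crosses the cable, so it cannot be matched on the router; the VLAN tag is what does survive the link, which is why the separation above keys on it. Likewise, any split based on MAC addresses (whether via dnsmasq leases or firewall rules) rests on a value the client chooses, whereas the per-SSID WPA key is something the client has to know.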